Detecting and responding to malicious acts directed towards machine learning model

ABSTRACT

A system detects and responds to malicious acts directed towards machine learning models. Data fed into and output by a machine learning model is collected by a sensor. The data fed into the model includes vectorization data, which is generated from raw data provided by a requester, such as for example a stream of timeseries data. The output data may include a prediction or other output generated by the machine learning model in response to receiving the vectorization data. The vectorization data and machine learning model output data are processed to determine whether the machine learning model is being subjected to a malicious act (e.g., an attack). The output of the processing may indicate an attack score. A response for handling the request by a requester may be selected based on the output that includes the attack score, and the response may be applied to the requester.

BACKGROUND

Machine learning computing resources are becoming more common in products and computing systems. As machine learning model resources have become more widespread, so have the attacks perpetrated on machine learning-based systems by bad actors. Traditional methods of virus detection do not detect attacks made against most machine learning systems. As such, what is needed is an improved method for detecting attacks on machine learning systems.

SUMMARY

The present technology, roughly described, detects and responds to malicious acts directed towards machine learning models. Data fed into and output by a machine learning model is collected by a sensor. The data fed into the model includes vectorization data, which is generated from raw data provided by a requester, such as for example a stream of timeseries data. The output data may include a prediction or other output generated by the machine learning model in response to receiving the vectorization data.

The vectorization data and machine learning model output data are processed to determine whether the machine learning model is being subjected to a malicious act (e.g., an attack). The output of the processing may indicate an attack score, for example in the form of a prediction of whether the machine learning model is subject to a malicious act. An alert may be generated based on the value of the attack score. A response for handling the request by a requester may be selected based on the output that includes the attack score, and the response may be applied to the requester.

In some instances, the present technology provides a method for monitoring a machine learning-based system for malicious acts. The method begins with a sensor receiving vectorization data. The vectorization data is derived from input data intended for a machine learning model and provided by a requester. The sensor then receives an output generated by the machine learning model, wherein the machine learning model generates the output in response to receiving the vectorization data. The vectorization data and the model output are then processed by a processing engine to generate an attack score, the attack score indicating a likelihood of a malicious action towards the machine learning model via the vectorization data and model output. A response is applied to a request associated with the requester, the response based at least in part on the attack score, the response applied in place of the output of the machine learning model.

In some instances, a non-transitory computer readable storage medium has embodied thereon a program, the program being executable by a processor to perform a method for monitoring a machine learning-based system for malicious acts. The method begins with a sensor receiving vectorization data. The vectorization data is derived from input data intended for a first machine learning model and provided by a requester. The sensor then receives an output generated by the machine learning model, wherein the machine learning model generates the output in response to receiving the vectorization data. The vectorization data and the model output are then processed by a processing engine to generate an attack score, the attack score indicating a likelihood of a malicious action towards the machine learning model via the vectorization data and the model output. A response is applied to a request associated with the requester, the response based at least in part on the attack score, the response applied in place of the output of the first machine learning model.

In some instances, a system for monitoring a machine learning-based system for malicious acts includes a server having a memory and a processor. One or more modules can be stored in the memory and executed by the processor to receive vectorization data by a sensor, the vectorization data derived from input data intended for a first machine learning model and provided by a requester; receive, by the sensor, an output generated by the machine learning model, the machine learning model generating the output in response to receiving the vectorization data; process the vectorization data and the model output by a processing engine to generate an attack score, the attack score indicating a likelihood of a malicious action towards the machine learning model via the vectorization data; and apply a response to a request associated with the requester, the response based at least in part on the attack score, the response applied in place of the output of the first machine learning model.

BRIEF DESCRIPTION OF FIGURES

FIG. 1 is a block diagram of a system for detecting and responding to malicious acts directed towards a machine learning model.

FIG. 2 is a block diagram of a customer data store.

FIG. 3 is a block diagram of a system data store.

FIG. 4 is a method for intercepting vectorization data and a machine learning model prediction.

FIG. 5 is a method for detecting and responding to malicious acts directed towards a machine learning model.

FIG. 6 is a method for generating an alert.

FIG. 7 is an interface for reporting the status of detected malicious acts directed towards a machine learning model.

FIG. 8 is another interface for reporting the status of detected malicious acts directed towards a machine learning model.

FIG. 9 provides a computing environment for implementing the present technology.

DETAILED DESCRIPTION

The present technology, roughly described, detects and responds to malicious acts directed towards machine learning models. Data fed into and output by a machine learning model is collected by a sensor. The data fed into the model includes vectorization data, which is generated from raw data provided by a requester, such as for example a stream of timeseries data. The output data may include a prediction or other output generated by the machine learning model in response to receiving the vectorization data. By receiving the vectorization data rather than the raw timeseries data, the raw data and its context are kept private from the detection system that processes the vectorization data.

The vectorization data and machine learning model output data are processed to determine whether the machine learning model is being subjected to a malicious act, such as for example an attack. The processing may include feeding the vectorization data and output into one or more of several machine learning models, hash-based filtering, and correlation of the input and output with those of other requesters. The processing results in a determination as to whether the current data is associated with a malicious act, whether a trend suggests the data is not as predicted, or whether a distributed attack is occurring or has occurred. The output of the processing may indicate an attack score, for example in the form of a prediction of whether the machine learning model is subject to a malicious act. An alert may be generated based on the value of the attack score.

A response for handling the request by a requester may be selected based on the output that includes the attack score, and a response may be generated and applied to the requester. The response may be any of several responses, such as for example providing a false series of values, randomizing the output, implementing a honeypot response, or simply disconnecting the requester. The present system may also report the status of the monitoring and the malicious act detection trends for the machine learning model through one or more dashboards or interfaces.

FIG. 1 is a block diagram of a system for detecting and responding to malicious acts directed towards a machine learning model. The system of FIG. 1 includes users 105, customer environment 110, system environment 130, and customers 165. Customer environment 110 includes a transformation module 115 and a machine learning model 125. Between the transformation module and the machine learning model is a detection system sensor 120.

One or more users 105 may provide a stream of data, such as timeseries data, generalized input, or some other data type, to transformation module 115. The transformation module may convert the received timeseries into a series of vectorized data. In some instances, the vectorized data may be an array of floating-point numbers. The vectorization of the received data is then provided to machine learning model 125 for processing. After processing the vectorized data, the machine learning model provides an output, such as a prediction, intended for the requesting user 105.

Detection system sensor 120 may collect the vectorized data provided by transformation module 115 as well as the output provided by machine learning model 125. The sensor 120 may then couple the vectorized data and model output, and transmit the coupled data to the processing engine 145 of system environment 130. Sensor 120 may forward the vectorization data received from transformation module 115 to machine learning model 125. Sensor 120 may also provide the output of model 125 to the requesting user, or implement a different response. For example, sensor 120 may generate and transmit a response to the requesting user based on data received from response engine 155. In some instances, sensor 120 may disconnect the requesting user based on response data received from response engine 155.

The sensor may be implemented in several ways. In some instances, a sensor may be implemented as an API placed between the requesting user and the machine learning model. The API may intercept the request and then send the request to the machine learning model as well as to a publisher API. The publisher API may then transmit the vectorization data to a processing engine. The sensor API may then receive the response generated by the customer's machine learning model and forward the response to the requesting user if no malicious act is detected, or generate a different response based on data received from the response engine 155.

In some instances, the sensor may be implemented by an API gateway together with a proxy application. The API gateway may receive the request and provide it to the proxy application, which may then forward the request to the machine learning model 125 as well as to a publisher. The publisher may then forward the request to the system environment for processing by the processing engine 145. The machine learning model may provide a response to the proxy application, and the proxy application can also receive response data from response engine 155. The proxy application may then either forward the machine learning model response to the requesting user through the API gateway, if the user request is not associated with a malicious act, or generate a response based on the response data received from the response engine 155 when the request is associated with a malicious act on the machine learning model.

In some instances, a vector traffic instance may be implemented to forward a received request to the machine learning model 125. A traffic mirror source may collect the traffic originating from the vector traffic instance and provide the traffic to a traffic mirror target, which then provides the traffic to a network load balancer. The network load balancer may then forward the vectorization traffic data through a series of traffic mirror worker applications, which then forward the vectorization traffic to processing engine 145. After processing the vectorization traffic, response engine 155 may provide response data to the traffic mirror workers, which then generate a response to transmit to the vector traffic instance when a malicious act on the machine learning model is detected.

Returning to FIG. 1, system environment 130 includes customer data store 135, system data store 140, processing engine 145, alert engine 150, response engine 155, network application 160, and customers 165. Each of customer environment 110 and system environment 130 may be implemented as one or more servers implementing the physical or logical modules 115-125 and 135-160 illustrated in FIG. 1. In some instances, each environment is located in one or more cloud computing environments.

Environments 110 and 130 may communicate over a network. In some instances, one or more modules may be implemented on separate machines in separate environments, which may also communicate over a network. The network may be implemented by one or more networks suitable for communication between electronic devices, including but not limited to a local area network, a wide-area network, a private network, a public network, a wired network, a wireless network, a Wi-Fi network, an intranet, the Internet, a cellular network, a plain old telephone service, and any combination of these networks.

The customer data store 135 of FIG. 1 includes data associated with one or more customers. The stored customer data may be accessed by any module within system environment 130. More information about customer data store 135 is discussed with respect to FIG. 2.

System data store 140 includes data related to system environment 130. System data may include event data, traffic data, timestamp data, and other data. The data may be accessed by any of modules 145-160, and may be used to generate one or more dashboards for use by customers 165. More details of system data store 140 are discussed with respect to FIG. 3.

Processing engine 145 may be implemented by one or more modules that receive and process coupled vectorization data and machine learning model output data. Processing the received coupled data may include applying one or more machine learning modeling techniques to the data to determine if a malicious act has been performed against the customer's machine learning model 125. The machine learning techniques applied to the coupled data may include unsupervised learning or clustering, timeseries modeling, classification modeling, and other modeling techniques. After the coupled data has been processed, the processing engine generates an attack score and provides that score to alert engine 150. Alert engine 150 may generate an alert based on the value of the score. In some instances, different alerts may be provided based on the value of the score, with more urgent alerts generated for a higher score. Alert engine 150 then passes the coupled data and the attack score to response engine 155. Response engine 155 may receive the attack score, and optionally other data, and select a response to implement with respect to the requester that transmitted the request from which the vectorization data was created. The responses may include providing a false series of prediction values that follows some pattern, providing a randomized response, implementing a honeypot response, or disconnecting the requester. Information about the selected response is provided to detection system sensor 120, which then generates and implements the response.

Response engine 155 provides the selected response and the attack score to network application 160. Network application 160 may provide one or more APIs, integrations, or user interfaces, for example in the form of a dashboard, which may be accessed by customers 165. The dashboard may provide information regarding any detected or suspected malicious acts, attack trends, statistics and metrics, and other data. Examples of dashboards providing malicious act data are discussed with respect to FIGS. 7 and 8.

FIG. 2 is a block diagram of a customer data store. Customer data store 200 of FIG. 2 provides more detail of customer data store 135 of FIG. 1. The customer data store may include customer data 210. The customer data 210 may include data associated with all customers that provide a machine learning model 125. Customer data may include, but is not limited to, a customer name, a unique user ID, a date on which the customer data was created, a publisher token, a sensor identifier, and an alert engine identifier. The sensor identifier may indicate which sensor is associated with the customer's machine learning model 125 that is being monitored by the present system. The alert engine identifier may identify the particular alert engine that provides alerts regarding the particular customer's machine learning model 125.

FIG. 3 is a block diagram of a system data store. System data store 300 of FIG. 3 provides more detail of system data store 140 in the system of FIG. 1. System data store 300 includes system data 310. The system data 310 may include, but is not limited to, vectorization data, prediction data, requester ID, sensor history, processing history, and alert history. The vectorization data may include the data generated by transformation module 115 within a customer environment 110, for each customer. Prediction data may include the output of machine learning model 125 that is intercepted by sensor 120, for each customer. Requester ID may identify the source of the raw data, such as timeseries data, which is provided from users 105 to transformation module 115. Sensor history includes a log of the actions performed by sensor 120, the platform on which each sensor is implemented, and other data regarding each sensor. Processing history may include log information, processing history, and other history for processing engine 145 for each particular customer. Alert history includes data such as the events generated by alert engine 150, the status of alert engine 150, and the alerts generated by alert engine 150 for each particular customer.

FIG. 4 is a method for intercepting vectorization data and a machine learning model prediction. First, a customer environment receives a request consisting of raw data from a user requester at step 405. The raw data may include a stream of timeseries data, or other data provided directly from a requester to the customer's environment. The customer transformation engine then transforms the raw data into vectorization data at step 410. The vectorization data will not carry any context associated with the requester, but will still be associated with a requester ID. By itself, the vectorization data cannot be processed to determine the identity of the requester. In some instances, the vectorization data may be in the format of an array of floating-point numbers.

The customer transformation engine transmits the vectorization data to a sensor at step 420. The sensor may be placed between transformation module 115 and machine learning model 125 to collect, or in some cases intercept, vectorization data transmitted to model 125.

The sensor may be provided in a variety of formats. In some instances, the sensor may be provided as an API to which vectorization data can be directed. In some instances, the sensor may be implemented as a network traffic capture tool that captures traffic intended for the machine learning model. In some instances, the sensor can be implemented using cloud libraries, for example a Python or C library, which can be plugged into customer software and used to direct vectorization traffic to the processing engine 145.

The machine learning model applies algorithms and/or processing to the vectorization data to generate a prediction at step 425. Machine learning model 125 is part of the customer's environment and processes the vectorization data that is transmitted by transformation module 115. In some instances, sensor 120, after collecting and/or intercepting the vectorization data, may forward the vectorization data to machine learning model 125 to be processed. The machine learning model then transmits the output prediction to sensor 120 at step 430.

The sensor couples the vectorization data and prediction at step 435. The sensor then transmits the coupled data to the remote system environment 130 at step 440. At some point subsequently, the sensor receives response data based on the coupled data at step 445. The response data may be an indication, generated by system 130, of what response to send to the requester. In particular, the response data may indicate a response selected by response engine 155, other than the prediction output, to be provided to the requester based on a detection of a malicious act by the requester. The sensor generates a response based on the response data and sends it to the user requester at step 450. The response may be a pattern of data other than the output generated by machine learning model 125, randomized data, a honeypot-based response, or a termination or disconnect of the session with the requester.
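The sensor path described for FIG. 1 and FIG. 4 above (collect the vectorization data, forward it to the model, couple input and output, publish the coupled pair to the processing engine, then apply whatever response comes back in place of the prediction), written out as an added example in Python. This is not code from the patent: the model, the engine behind `publish`, the requester identifiers and the parameters of the false-series, random and honeypot responses are stand-ins chosen for this example, and `StubEngine` only imitates the remote engines so the block runs offline.

```python
"""Detection-system sensor placed between the transformation module and the model.

Added example, not the patent's own code. `toy_model`, `StubEngine` and the sample
requests are constructed stand-ins so the block runs without a remote engine.
"""
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Vector = List[float]


@dataclass
class CoupledRecord:
    """Vectorization data coupled with the model output (FIG. 4, step 435)."""
    requester_id: str
    vectorization: Vector
    prediction: float
    seq: int


@dataclass
class ResponseData:
    """What the response engine tells the sensor to do for one request."""
    kind: str                                   # forward | pattern | random | honeypot | disconnect
    params: Dict[str, float] = field(default_factory=dict)


class Sensor:
    """Sits between transformation module 115 and model 125 (FIG. 1); runs steps 420-450."""

    def __init__(self, model: Callable[[Vector], float],
                 publish: Callable[[CoupledRecord], ResponseData], seed: int = 0) -> None:
        self.model = model            # the customer's model, called with the vectorization data
        self.publish = publish        # sends the coupled record out; returns the response data
        self.rng = random.Random(seed)
        self.disconnected: set = set()
        self.seq = 0

    def handle(self, requester_id: str, vec: Vector) -> Optional[float]:
        if requester_id in self.disconnected:           # session was terminated earlier
            return None
        prediction = self.model(vec)                    # steps 425/430
        self.seq += 1
        record = CoupledRecord(requester_id, list(vec), prediction, self.seq)
        response = self.publish(record)                 # steps 440/445
        return self._apply(requester_id, prediction, response)   # step 450

    def _apply(self, requester_id: str, prediction: float, response: ResponseData) -> Optional[float]:
        kind, p = response.kind, response.params
        if kind == "forward":                           # no malicious act: real prediction
            return prediction
        if kind == "pattern":                           # false series following a sawtooth pattern
            period = int(p.get("period", 4))
            return p.get("base", 0.0) + p.get("amplitude", 1.0) * (self.seq % period) / period
        if kind == "random":                            # randomized output
            return self.rng.uniform(p.get("low", 0.0), p.get("high", 1.0))
        if kind == "honeypot":                          # fixed, plausible-looking decoy value
            return p.get("decoy", 0.5)
        if kind == "disconnect":                        # terminate the requester's session
            self.disconnected.add(requester_id)
            return None
        raise ValueError(f"unknown response kind {kind!r}")


def toy_model(vec: Vector) -> float:
    """Stand-in for the customer's model (assumption): mean of the input vector."""
    return round(sum(vec) / max(len(vec), 1), 4)


class StubEngine:
    """Stand-in for the remote engines: escalates when a requester replays the same vector."""

    def __init__(self, max_repeats: int = 2) -> None:
        self.seen: Dict[Tuple[str, Tuple[float, ...]], int] = {}
        self.records: List[CoupledRecord] = []
        self.max_repeats = max_repeats

    def publish(self, record: CoupledRecord) -> ResponseData:
        self.records.append(record)
        key = (record.requester_id, tuple(record.vectorization))
        n = self.seen[key] = self.seen.get(key, 0) + 1
        if n > self.max_repeats:
            return ResponseData("disconnect")
        if n == self.max_repeats:
            return ResponseData("pattern", {"base": 0.0, "amplitude": 1.0, "period": 4})
        return ResponseData("forward")


def run_demo() -> Tuple[List[Optional[float]], List[float]]:
    """Constructed traffic: one ordinary request, then one requester replaying a vector."""
    engine = StubEngine()
    sensor = Sensor(toy_model, engine.publish)
    out = [
        sensor.handle("alice", [0.2, 0.4]),      # forwarded prediction 0.3
        sensor.handle("mallory", [1.0, 0.0]),    # first time: forwarded 0.5
        sensor.handle("mallory", [1.0, 0.0]),    # repeat: patterned false value (seq 3 -> 0.75)
        sensor.handle("mallory", [1.0, 0.0]),    # third time: disconnected -> None
        sensor.handle("mallory", [0.1, 0.1]),    # still disconnected, model never called
    ]
    return out, [r.prediction for r in engine.records]
```

Note that the sensor publishes only the vectorization data and the model output, never the raw timeseries, which is the privacy property the text relies on; and that once a requester is disconnected the model is not invoked at all, so no further outputs leak to it.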

FIG. 5 is a method for detecting and responding to malicious acts directed towards a machine learning model. First, a processing engine receives the coupled machine learning model vectorization and prediction data from the sensor at step 505. The processing engine then analyzes the received data using one or more machine learning techniques to generate an attack score at step 510. Performing machine learning to analyze the data may include performing unsupervised learning or clustering on the received data, timeseries modeling, classification modeling, or some other machine learning-based analysis and/or modeling on the coupled data. In some instances, analyzing the data includes performing clustering on similar data to determine if there is a distributed attack underway on the machine learning model at step 515. As a result of analyzing the coupled data, the processing engine generates an attack score. The attack score may be an indicator of the likelihood, or a predictor, of whether the machine learning model 125 provided by the customer is currently under attack or will be under attack in the near future.
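A processing-engine stand-in for steps 505-515 above, and for the hash-based filtering and cross-requester correlation mentioned earlier in the description, written as an added example in Python (not the patent's own code). It derives an attack score in [0, 1] from a stream of coupled (requester ID, vectorization, prediction) records using two signals: a per-requester probing heuristic (consecutive queries that are tiny perturbations of each other, scored higher when the model output flips between them) and a hash bucket that counts how many distinct requesters hit the same quantized region of input space. The grid step, distance threshold, minimum requester count and the sample traffic in `run_demo` are all assumptions; the text names these technique families but gives no parameters.

```python
"""Processing engine stand-in: coupled (vectorization, output) records -> attack score.

Added example, not the patent's own code. The thresholds and the constructed traffic
in run_demo() are assumptions made for this example.
"""
import hashlib
import math
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

Vector = List[float]
Coupled = Tuple[str, Vector, float]          # (requester_id, vectorization, prediction)


def bucket_hash(vec: Vector, step: float) -> str:
    """Hash-based filtering: quantize each coordinate to a grid of size `step` and hash
    the cell, so near-identical vectors from different requesters land in one bucket."""
    cell = tuple(int(math.floor(x / step)) for x in vec)
    return hashlib.sha256(repr(cell).encode()).hexdigest()[:16]


def l2(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class ProcessingEngine:
    def __init__(self, window: int = 8, probe_eps: float = 0.05,
                 step: float = 0.25, min_requesters: int = 3) -> None:
        self.probe_eps = probe_eps          # max distance for two queries to count as a probe
        self.step = step                    # grid size used by bucket_hash
        self.min_requesters = min_requesters
        self.history: Dict[str, Deque[Tuple[Vector, float]]] = defaultdict(
            lambda: deque(maxlen=window))   # recent (vector, prediction) pairs per requester
        self.buckets: Dict[str, Set[str]] = defaultdict(set)   # bucket -> requester ids
        self.requesters: Set[str] = set()

    def score(self, record: Coupled) -> Dict[str, float]:
        rid, vec, pred = record
        self.requesters.add(rid)
        hist = self.history[rid]
        hist.append((list(vec), pred))
        bucket = bucket_hash(vec, self.step)
        self.buckets[bucket].add(rid)
        probe = self._probe_score(list(hist))
        distributed = self._distributed_score(bucket)
        return {"probe": probe, "distributed": distributed, "attack": max(probe, distributed)}

    def _probe_score(self, hist: List[Tuple[Vector, float]]) -> float:
        """Share of consecutive queries that are tiny perturbations of each other; a
        perturbation that also flips the model output (boundary search) counts double."""
        if len(hist) < 2:
            return 0.0
        pairs = list(zip(hist, hist[1:]))
        close = sum(1 for (v1, _), (v2, _) in pairs if l2(v1, v2) <= self.probe_eps)
        flips = sum(1 for (v1, p1), (v2, p2) in pairs
                    if l2(v1, v2) <= self.probe_eps and p1 != p2)
        return min(1.0, (close + flips) / (2 * len(pairs)))

    def _distributed_score(self, bucket: str) -> float:
        """Correlation across requesters: many distinct requesters in the same bucket is
        treated as a distributed attack; scaled by the share of all requesters involved."""
        hitters = len(self.buckets[bucket])
        if hitters < self.min_requesters:
            return 0.0
        return min(1.0, hitters / len(self.requesters))


def run_demo() -> Dict[str, Dict[str, float]]:
    """Constructed traffic: an ordinary user, a boundary prober, and five requesters
    sending the same vector. Returns the last score for each requester kind."""
    engine = ProcessingEngine()
    last: Dict[str, Dict[str, float]] = {}
    benign = [("u1", [0.1, 0.9], 1.0), ("u1", [0.6, 0.2], 0.0), ("u1", [0.3, 0.7], 1.0)]
    prober = [("u2", [0.50, 0.50], 0.0), ("u2", [0.52, 0.50], 1.0),
              ("u2", [0.51, 0.50], 0.0), ("u2", [0.515, 0.50], 1.0)]
    coordinated = [(f"d{i}", [0.3, 0.3], 0.0) for i in range(1, 6)]
    for rec in benign:
        last["benign"] = engine.score(rec)
    for rec in prober:
        last["prober"] = engine.score(rec)
    for rec in coordinated:
        last["distributed"] = engine.score(rec)
    return last
```

The bucket signal is deliberately coarse: a popular benign input would also draw many requesters into one bucket, so in practice it should be compared against that bucket's historical baseline rather than used on its own, which is the "trend suggests the data is not as predicted" check the description mentions.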

After determining the attack score, the processing engine provides the coupled data and the attack score to an alert engine at step 520. In some instances, the alert engine 150 of FIG. 1 may have several instances, with one instance per customer. The alert engine receives the coupled data and attack scores, generates alerts as needed based on the received data and the scores, and provides the scores and data to a response engine at step 525. The alert engine may generate a different alert depending on the value of the received score. More details of an alert engine generating an alert are discussed with respect to the method of FIG. 6.

A response engine receives the coupled data and the attack score and generates response data for the user requester at step 530. The response data may include a selected response to apply to the requester if the attack score is over a certain threshold. For example, if the attack score is over 50%, then a response other than the output generated by machine learning model 125 may be provided to the requester that provided the raw data to transformation module 115. The selected response may be based on the user request, the category of the malicious act, the time or date of the response, the history of attacks from the particular requester, and other data. The response engine transmits the response data for the user requester to the sensor at step 535. The sensor receives the response data and generates a response based on the response data at step 540. The sensor executes the response, in some cases transmitting a response to the user requester, based on the received response data at step 545. The status of any attack on the machine learning model owned by the customer can be reported at step 550. The reporting may include details, including raw data, metrics, and current status, regarding the monitoring and detection data for machine learning model 125. More details regarding dashboards that provide reporting data to a customer are discussed with respect to FIGS. 7 and 8.

FIG. 6 is a method for generating an alert. The method of FIG. 6 provides more detail for step 525 of the method of FIG. 5. Alert engine 150 receives coupled data and attack scores from processing engine 145 at step 605. A determination is made as to whether the attack score satisfies a highest threshold at step 610. The highest threshold may indicate whether the highest level of alert should be generated for the particular vectorization data and output coupled pair. In some instances, an attack score of 90% or higher would satisfy the highest threshold. If the attack score does not satisfy the highest threshold, the method of FIG. 6 continues to step 620. If the attack score does satisfy the highest threshold, a high alert flag is generated based on the attack score, and the flag and the other data are stored in system data store 140.

A determination is made as to whether the attack score satisfies the second highest threshold at step 620. In some instances, the second highest threshold may be between 80% and 90%. If the attack score does satisfy the second highest threshold, a medium alert flag may be generated at step 625 based on the attack score, and the medium alert flag may be stored in system data store 140.

A determination is made as to whether the attack score satisfies a third highest threshold at step 630. If the attack score does satisfy the third highest threshold, a low alert flag is generated based on the attack score, and the alert is stored in system data store 140. If the attack score does not satisfy the third highest threshold, no alert flag is generated for the attack score. In this case, detection system sensor 120 may provide the generated output of the machine learning model 125 to the requester that provided the original request.
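The alert ladder of FIG. 6 and the response selection of step 530 (FIG. 5) above, combined into one added example in Python; it is not the patent's own code. The 90% and 80% alert thresholds and the 50% response threshold come from the text. The third (low) threshold, which the text leaves unspecified, is assumed to equal the 50% response threshold, and the mapping from alert level, attack category and the requester's alert history to a concrete response (honeypot, patterned false series, randomized output, disconnect) is an assumption chosen for illustration; the text only lists those responses and the inputs that may influence the choice.

```python
"""Alert engine (FIG. 6) and response engine (FIG. 5, step 530) stand-ins.

Added example, not the patent's own code. The low-alert threshold and the mapping
from level/category/history to a response are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HIGH_THRESHOLD = 0.90    # "90% or higher" satisfies the highest threshold (step 610)
MEDIUM_THRESHOLD = 0.80  # second highest threshold, "between 80% and 90%" (step 620)
LOW_THRESHOLD = 0.50     # third threshold: assumed equal to the 50% response threshold


@dataclass
class AlertRecord:
    """One entry of the alert history kept in system data store 140."""
    requester_id: str
    score: float
    level: str


class AlertEngine:
    def __init__(self) -> None:
        self.alert_history: List[AlertRecord] = []

    @staticmethod
    def level_for(score: float) -> Optional[str]:
        """Steps 610/620/630: highest satisfied threshold wins; None means no alert flag."""
        if not 0.0 <= score <= 1.0:
            raise ValueError("attack score must be a probability in [0, 1]")
        if score >= HIGH_THRESHOLD:
            return "high"
        if score >= MEDIUM_THRESHOLD:
            return "medium"
        if score >= LOW_THRESHOLD:
            return "low"
        return None

    def process(self, requester_id: str, score: float) -> Optional[str]:
        level = self.level_for(score)
        if level is not None:                        # flag stored in system data store
            self.alert_history.append(AlertRecord(requester_id, score, level))
        return level

    def prior_highs(self, requester_id: str) -> int:
        """History of attacks from this requester: count of high alerts so far."""
        return sum(1 for a in self.alert_history
                   if a.requester_id == requester_id and a.level == "high")


class ResponseEngine:
    """Chooses what the sensor applies in place of the model output (step 530)."""

    def __init__(self, alerts: AlertEngine, response_threshold: float = LOW_THRESHOLD) -> None:
        self.alerts = alerts
        self.response_threshold = response_threshold

    def select(self, requester_id: str, score: float, category: str,
               level: Optional[str]) -> str:
        if level is None or score < self.response_threshold:
            return "forward"                         # below threshold: real prediction goes out
        if level == "high":
            # repeat high-risk requester: terminate; first high alert: serve a honeypot
            return "disconnect" if self.alerts.prior_highs(requester_id) > 1 else "honeypot"
        if level == "medium":
            # model-replication attempts get a patterned false series, others random noise
            return "pattern" if category == "replication" else "random"
        return "random"                              # low alert: randomized output


def handle_score(alerts: AlertEngine, responses: ResponseEngine, requester_id: str,
                 score: float, category: str) -> Tuple[Optional[str], str]:
    """Alert engine, then response engine, in the order of FIG. 5 (steps 520-530)."""
    level = alerts.process(requester_id, score)
    return level, responses.select(requester_id, score, category, level)
```

Scores are handled as probabilities in [0, 1] here, so the text's percentages map to 0.90, 0.80 and 0.50; a score outside that range is rejected rather than silently clamped, since a malformed score from the processing engine should not be able to suppress an alert.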

FIG. 7 is an interface for reporting the status of detected malicious acts directed towards a machine learning model. The interface of FIG. 7 includes windows for reporting events, risk, category, sensors, requesters, events, and event details. The events window may indicate the number of events, the number of predictions, and the number of evasions recorded by the present system. The risk window can report the number of high risks, medium risks, and low risks. The high, medium, and low levels may correspond to the alert levels provided by alert engine 150. The category window may report categories of attacks on a customer's machine learning model. In interface 700 the categories include inference categories, replication categories, and evasion categories. The sensors window indicates the number of sensors dedicated to a customer's machine learning model, and the number of requesters that have been requesting usage of the machine learning model. The events window indicates the total number of events that occurred with respect to the machine learning model of the customer.

The event details window indicates an event identifier, timestamp, category of attack, risk level, and context for each particular event. The event details may be scrolled and searched within interface 700.

FIG. 8 is another interface for reporting the status of detected malicious acts directed towards a machine learning model. Interface 800 of FIG. 8 provides additional data regarding the monitoring and threat detection associated with machine learning model 125. In particular, the interface 800 of FIG. 8 may provide data in graphical format related to a mean vector score, asset deployment, risk tolerance, and geographical information regarding the requesters using the machine learning model 125. The geographical information may be split into zones, and the data provided may include zone usage, response distribution per zone, and a regional view of the zones. Interface 800 may also graphically display an anomaly distribution, asset health, the number of active deployments, and anomalies by day, week, or month. Additionally, interface 800 may illustrate risk distribution in different formats, such as a bar view or a calendar view.

The interfaces of FIGS. 7 and 8 are exemplary, and are not intended to be limiting. The data collected, the data monitored, and the actions taken may be reported as raw data, metrics may be generated from the data, and trends may be determined from the data, all of which may be reported through one or more interfaces or dashboards.

FIG. 9 is a block diagram of a computing environment for implementing the present technology. System 900 of FIG. 9 may be implemented in the context of the machines that implement detection system sensor 120, data stores 135 and 140, processing engine 145, alert engine 150, response engine 155, and network application 160. The computing system 900 of FIG. 9 includes one or more processors 910 and memory 920. Main memory 920 stores, in part, instructions and data for execution by processor 910. Main memory 920 can store the executable code when in operation. The system 900 of FIG. 9 further includes a mass storage device 930, portable storage medium drive(s) 940, output devices 950, user input devices 960, a graphics display 970, and peripheral devices 980.

The components shown in FIG. 9 are depicted as being connected via a single bus 990. However, the components may be connected through one or more data transport means. For example, processor unit 910 and main memory 920 may be connected via a local microprocessor bus, and the mass storage device 930, peripheral device(s) 980, portable storage device 940, and display system 970 may be connected via one or more input/output (I/O) buses.

Mass storage device 930, which may be implemented with a magnetic disk drive, an optical disk drive, a flash drive, or other device, is a non-volatile storage device for storing data and instructions for use by processor unit 910. Mass storage device 930 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 920.

Portable storage device 940 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disc or digital video disc, USB drive, memory card or stick, or other portable or removable memory, to input and output data and code to and from the computer system 900 of FIG. 9. The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 900 via the portable storage device 940.

Input devices 960 provide a portion of a user interface. Input devices 960 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, a pointing device such as a mouse, a trackball, stylus, cursor direction keys, microphone, touch-screen, accelerometer, and other input devices. Additionally, the system 900 as shown in FIG. 9 includes output devices 950. Examples of suitable output devices include speakers, printers, network interfaces, and monitors.

Display system 970 may include a liquid crystal display (LCD) or other suitable display device. Display system 970 receives textual and graphical information and processes the information for output to the display device. Display system 970 may also receive input as a touch-screen.

Peripherals 980 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 980 may include a modem or a router, a printer, and other devices.

The system 900 may also include, in some implementations, antennas, radio transmitters and radio receivers 990. The antennas and radios may be implemented in devices such as smart phones, tablets, and other devices that may communicate wirelessly. The one or more antennas may operate at one or more radio frequencies suitable to send and receive data over cellular networks, Wi-Fi networks, commercial device networks such as a Bluetooth device network, and other radio frequency networks. The devices may include one or more radio transmitters and receivers for processing signals sent and received using the antennas.

The components contained in the computer system 900 of FIG. 9 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computer system 900 of FIG. 9 can be a personal computer, handheld computing device, smart phone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Android, as well as languages including Java, .NET, C, C++, Node.JS, and other suitable languages.

The foregoing detailed description of the technology herein has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the technology to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen to best explain the principles of the technology and its practical application to thereby enable others skilled in the art to best utilize the technology in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the technology be defined by the claims appended hereto.

What is claimed is:
1. A method for monitoring a machine learning-based system for malicious acts, comprising: receiving vectorization data by a sensor on a server, the vectorization data derived from input data intended for a first machine learning model and provided by a requestor; receiving, by the sensor, an output generated by the machine learning model, the machine learning model generating the output in response to receiving the vectorization data; transmitting the vectorization data and the output to a processing engine by the sensor; processing the vectorization data and the output by the processing engine to generate an attack score, the attack score indicating a likelihood of a malicious action towards the machine learning model via the vectorization data; and applying a response to a request associated with the requestor, the response based at least in part on the attack score, the response applied in place of the output of the first machine learning model.
2. The method of claim 1, wherein applying the response includes selecting, by a response engine, a response based on an output by a second machine learning model within the processing engine, the output of the second machine learning model including a prediction of an attack on the first machine learning model.
3. The method of claim 1, further comprising collecting the vectorization data by a sensor component, the sensor component transmitting the collected vectorization data to the processing engine on the server.
4. The method of claim 3, wherein the sensor component is created in a computing environment that proxies the first machine learning model.
5. The method of claim 3, further including: collecting the output generated by the first machine learning model by the sensor component; coupling the vectorization data and output by the sensor component; and transmitting the coupled vectorization data and output to the processing engine by the sensor component.
6. The method of claim 3, further including: intercepting the output of the first machine learning model by a sensor component; and transmitting a response generated by the sensor to the requestor in place of the output, the response generated based at least in part on the attack score.
7. The method of claim 1, further comprising generating an alert based on the attack score.
8. The method of claim 1, further comprising reporting attack data to a user through a graphical interface, the attack data based at least in part on the attack score.
9. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for monitoring a machine learning-based system for malicious acts, the method comprising: receiving vectorization data by a sensor, the vectorization data derived from input data intended for a first machine learning model and provided by a requestor; receiving, by the sensor, an output generated by the machine learning model, the machine learning model generating the output in response to receiving the vectorization data; transmitting the vectorization data and the output to a processing engine by the sensor; processing the vectorization data and the output by the processing engine to generate an attack score, the attack score indicating a likelihood of a malicious action towards the machine learning model via the vectorization data; and applying a response to a request associated with the requestor, the response based at least in part on the attack score, the response applied in place of the output of the first machine learning model.
10. The non-transitory computer readable storage medium of claim 9, wherein applying the response includes selecting, by a response engine, a response based on an output by a second machine learning model within the processing engine, the output of the second machine learning model including a prediction of an attack on the first machine learning model.
11. The non-transitory computer readable storage medium of claim 9, the method further comprising collecting the vectorization data by a sensor component, the sensor component transmitting the collected vectorization data to the processing engine on the server.
12. The non-transitory computer readable storage medium of claim 11, wherein the sensor component is created in a computing environment that implements the first machine learning model.
13. The non-transitory computer readable storage medium of claim 11, the method further including: collecting the output generated by the first machine learning model by the sensor component; coupling the vectorization data and output by the sensor component; and transmitting the coupled vectorization data and output to the processing engine by the sensor component.
14. The non-transitory computer readable storage medium of claim 11, the method further including: intercepting the output of the first machine learning model by a sensor component; and transmitting a response generated by the sensor to the requestor in place of the output, the response generated based at least in part on the attack score.
15. The non-transitory computer readable storage medium of claim 9, the method further comprising generating an alert based on the attack score.
16. The non-transitory computer readable storage medium of claim 9, the method further comprising reporting attack data to a user through a graphical interface, the attack data based at least in part on the attack score.
17. A system for monitoring a machine learning-based system for malicious acts, comprising: one or more servers including a memory and a processor; and one or more modules stored in the memory and executed by the processor to receive vectorization data, by a sensor, the vectorization data derived from input data intended for a first machine learning model and provided by a requestor, receive, by the sensor, an output generated by the machine learning model, the machine learning model generating the output in response to receiving the vectorization data, transmit the vectorization data and the output to a processing engine by the sensor, process the vectorization data and the output by the processing engine to generate an attack score, the attack score indicating a likelihood of a malicious action towards the machine learning model via the vectorization data, and apply a response to a request associated with the requestor, the response based at least in part on the attack score, the response applied in place of the output of the first machine learning model.
18. The system of claim 17, wherein applying the response includes selecting, by a response engine, a response based on an output by a second machine learning model within the processing engine, the output of the second machine learning model including a prediction of an attack on the first machine learning model.
19. The system of claim 17, the modules further executable to collect the vectorization data by a sensor component, the sensor component transmitting the collected vectorization data to the processing engine on the server.
20. The system of claim 19, wherein the sensor component is created in a computing environment that implements the first machine learning model.
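The sensor, processing engine and response engine recited in claims 1 to 7 and 17, as an added worked example that is not the patent's own implementation. The vectorizer, the protected "first" model, the detector that stands in for the second machine learning model of claim 2 (here a per-label z-score of the coupled (vector, output) pair against a constructed benign baseline), the alert and block thresholds and every sample series are assumptions made up for this illustration.

```python
"""Sensor -> processing engine -> response engine, as recited in claims 1-7.

Added illustration, not the patent's implementation. The vectorizer, the
protected model, the detector standing in for the patent's "second machine
learning model", the thresholds and all sample series are constructed here
so the file runs offline.
"""
import math
import statistics
from dataclasses import dataclass
from typing import Callable, Sequence

Vector = list[float]
ALERT_AT, BLOCK_AT = 0.5, 0.9  # constructed attack-score thresholds


def vectorize(series: Sequence[float]) -> Vector:
    """Constructed vectorizer: summarise a raw time series as four features."""
    return [statistics.fmean(series), statistics.pstdev(series),
            max(series), min(series)]


def first_model(vec: Vector) -> str:
    """Constructed stand-in for the protected model: labels by series mean."""
    return "high" if vec[0] >= 50.0 else "low"


class ProcessingEngine:
    """Scores coupled (vectorization data, output) pairs.

    Stand-in for the patent's second model: per-label baseline statistics
    learned from benign traffic. A vector far from the benign vectors that
    carried the label the model just assigned gets a high attack score.
    """

    def __init__(self, baseline: list[tuple[Vector, str]]) -> None:
        self.stats: dict[str, tuple[Vector, Vector]] = {}
        for label in {lbl for _, lbl in baseline}:
            cols = list(zip(*[v for v, lbl in baseline if lbl == label]))
            mean = [statistics.fmean(c) for c in cols]
            std = [max(statistics.pstdev(c), 1e-6) for c in cols]
            self.stats[label] = (mean, std)

    def attack_score(self, vec: Vector, output: str) -> float:
        """Likelihood in [0, 1] that this (vector, output) pair is malicious."""
        if output not in self.stats:
            return 1.0  # label never produced on benign traffic
        mean, std = self.stats[output]
        z = max(abs((x - m) / s) for x, m, s in zip(vec, mean, std))
        return 1.0 / (1.0 + math.exp(-(z - 4.0)))  # 4 sigma maps to 0.5


@dataclass
class Decision:
    action: str     # "allow", "alert" or "block"
    response: str   # what the requestor receives (claim 1: in place of output)
    score: float
    alert: bool     # claim 7: alert generated from the attack score


def select_response(output: str, score: float) -> Decision:
    """Response engine (claim 2): pick the response from the attack score."""
    if score >= BLOCK_AT:
        return Decision("block", "request rejected", score, True)
    if score >= ALERT_AT:
        return Decision("alert", output, score, True)
    return Decision("allow", output, score, False)


class Sensor:
    """Proxy in front of the first model (claim 4). It sees the vectorization
    data and the output, couples them (claim 5), forwards the pair to the
    processing engine and returns the selected response to the requestor in
    place of the raw output (claim 6)."""

    def __init__(self, model: Callable[[Vector], str], engine: ProcessingEngine) -> None:
        self.model, self.engine = model, engine
        self.alerts: list[tuple[Vector, str, float]] = []

    def handle(self, series: Sequence[float]) -> Decision:
        vec = vectorize(series)
        output = self.model(vec)
        score = self.engine.attack_score(vec, output)  # coupled pair scored
        decision = select_response(output, score)
        if decision.alert:
            self.alerts.append((vec, output, score))
        return decision


def benign_series() -> list[list[float]]:
    """Constructed benign traffic: ramps around 10-50 ('low') and 70-110 ('high')."""
    out = []
    for base in (10, 70):
        for i in range(10):
            step = 1 + i % 3
            out.append([float(base + 2 * i + step * j) for j in range(8)])
    return out


def build_sensor() -> Sensor:
    baseline = [(vectorize(s), first_model(vectorize(s))) for s in benign_series()]
    return Sensor(first_model, ProcessingEngine(baseline))


if __name__ == "__main__":
    sensor = build_sensor()
    for s in ([20, 22, 24, 26, 28, 30, 32, 34],    # ordinary request
              [48.0] * 8,                           # unusual: flat, near boundary
              [80, 82, 84, 86, 88, 90, 92, -400]):  # constructed anomalous input
        d = sensor.handle(s)
        print(f"{d.action:5} score={d.score:.3f} response={d.response!r}")
```

Scoring the vector against the baseline of the label the model actually emitted is what makes the coupled pair, rather than the input alone, carry the signal: an input that lands far from every benign example of its assigned class is suspect even when each feature alone looks plausible. In a deployment the detector would be a trained model and the thresholds set from observed benign traffic; the fixed values here are only for the example.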